You are designing the network architecture for an Azure Kubernetes Service (AKS) cluster.

The cluster will host hundreds of microservices. You have a strict requirement that every pod must receive an IP address from the Azure Virtual Network subnet so that on-premises resources connected via ExpressRoute can route traffic directly to individual pods.

Which AKS network plugin must you use?

With Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly. These IP addresses must be unique across your network space, and must be planned in advance. This allows on-premises resources connected via ExpressRoute or VPN to communicate directly with the pods. Kubenet uses an overlay network where pods get IPs from a private, non-routable space, and traffic is NAT'd through the node's IP.